CVE-2015-2060

cabextract before 1.6 does not properly check for leading slashes when extracting files, which allows remote attackers to conduct absolute directory traversal attacks via a malformed UTF-8 character that is changed to a UTF-8 encoded slash.

Published: Nov 29, 2019
Updated: Apr 13, 2023
CVE: CVE-2015-2060
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
cabextract_project / cabextract	-	1.6

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151145.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151147.html
http://www.cabextract.org.uk/
http://www.mandriva.com/security/advisories?name=MDVSA-2015:064
http://www.openwall.com/lists/oss-security/2015/02/18/3
http://www.openwall.com/lists/oss-security/2015/02/23/16
http://www.openwall.com/lists/oss-security/2015/02/23/24

Vulnerability Database

289,697

CVE-2015-2060